The Insider Threat Protocol

The Threat

Cyberattacks involving insiders – employees, suppliers, or other companies legitimately connected to a company’s computer systems – are serious and on the rise. They account for more than 20% of all cyberattacks, and widely used safeguards are ineffective against them. Attacks involving connected companies or direct employees are the more harmful threat: insiders can do much more serious harm than external hackers can.

The Key

To reduce their vulnerability to insider attacks, companies should apply the same approach they used to improve quality and safety: Make it part of everyone’s job.

The Solution

Employees should be monitored rigorously and told what threats are likely so that they can report suspicious activities. Suppliers and distributors should be required to minimize risks and should be regularly audited. Leaders should work closely with their IT departments to ensure that crucial assets are protected.

Why Insiders?

Because they have much easier access to systems and a much greater window of opportunity. The damage they cause may include suspension of operations, loss of intellectual property, reputational harm, plummeting investor and customer confidence, and leaks of sensitive information to unauthorized third parties, including the media. According to various estimates, at least 80 million insider attacks occur in the United States each year, but the number may be much higher, because they often go unreported. Their impact now totals in the tens of billions of dollars a year.

Many organizations admit they still don’t have adequate safeguards to detect or prevent attacks involving insiders.

One reason is that they are still in denial about the magnitude of the threat.

Insider threat comes from people who exploit legitimate access to an organization’s cyber assets for unauthorized and malicious purposes or who unwittingly create vulnerabilities.

They may be direct employees (from janitors up to the C-suite), contractors, or third-party suppliers of data and computing services. Edward Snowden, who famously stole sensitive information from the U.S. National Security Agency, worked for an NSA contractor.

With this legitimate access they can steal, disrupt, or corrupt computer systems and data without detection by ordinary perimeter-based security solutions – controls that focus on points of entry rather than what or who is legitimately already inside.

According to Vormetric, a leading computer security company, 54% of managers at large and mid-size organizations say that detecting and preventing insider attacks is harder today than it was in 2011. Such attacks are increasing both in number and as a percentage of all reported cyberattacks: a study conducted by KPMG found that they had risen from 4% in 2007 to 20% in 2010.

In other research, 80 senior managers discussed their awareness of insider cyber security threats, and the researchers followed up with in-depth case studies of actual incidents.

Here’s a summary of what they found:

  • Managers across all countries and most industries (banks and energy firms are the exception) are largely ignorant of insider threats.
  • They tend to view security as somebody else’s job – usually the IT department’s.
  • Few managers recognize the importance of observing unusual employee behavior – such as visiting extremist websites or starting to work at odd times of the day – to obtain advance warning of an attack.
  • Nearly two-thirds of internal and external security professionals find it difficult to persuade boards of directors of the risks entailed in neglecting insider threat issues.
  • Few IT groups are given guidance regarding which information assets are most critical, what level of risk is acceptable, or how much should be invested to prevent attacks.
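To make the point about unusual behavior (such as starting to work at odd times of the day) concrete, here is an added example that is not from the original article: it learns each user's typical login hour from authentication events and flags logins far outside it. The log format ("timestamp user result") and the sample lines are constructed for illustration.

```python
"""Flag logins that fall well outside each user's own working pattern.

Constructed example: the log format and sample events are invented.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of authentication events: "ISO-timestamp user result"
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice success
2024-03-05T09:02:41 alice success
2024-03-06T08:47:03 alice success
2024-03-07T09:10:22 alice success
2024-03-08T02:13:57 alice success
2024-03-04T13:30:00 bob success
2024-03-05T14:05:12 bob success
2024-03-06T22:40:09 bob success
2024-03-07T13:55:44 bob success
"""


def parse_events(text):
    """Parse log lines into (user, datetime) tuples for successful logins."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        if result == "success":
            events.append((user, datetime.fromisoformat(ts)))
    return events


def hour_distance(a, b):
    """Circular distance between two hours of day (23:00 and 01:00 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def flag_off_hours(events, tolerance=3):
    """Return (user, timestamp) pairs more than `tolerance` hours from the
    user's median login hour. The median is robust to a few outliers, so a
    single odd login barely shifts the baseline it is compared against."""
    hours = defaultdict(list)
    for user, ts in events:
        hours[user].append(ts.hour + ts.minute / 60)
    baseline = {u: median(h) for u, h in hours.items()}
    return [(user, ts.isoformat()) for user, ts in events
            if hour_distance(ts.hour + ts.minute / 60, baseline[user]) > tolerance]


if __name__ == "__main__":
    for user, ts in flag_off_hours(parse_events(SAMPLE_LOG)):
        print(f"off-hours login: {user} at {ts}")
```

In production the baseline would be built from a longer history window and the check run on new events only, but the comparison logic is the same.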

Employees who use personal devices for work: the BYOD trend

Increasingly, insiders – often unwittingly – expose their employers to threats by doing work on personal electronic devices.

One team found that companies’ security groups cannot keep up with the dangers posed by the “explosion” of these devices. According to a recent Alcatel-Lucent report, some 11.6 million mobile devices worldwide are infected at any given time, and mobile malware infections increased by 20% in 2013.

In 2012 an attack on DSM, a Dutch multinational chemical company, was foiled by trained employees. The attackers had scattered USB thumb drives all over the company parking lot, counting on some employee being careless enough to plug one in!

Thankfully for DSM, an employee who found one of the USB sticks dropped it off at the IT department, which in turn found spyware on the device, issued a warning, and collected the remaining USB devices.

Unfortunately, details on this story are scarce, so it’s unclear what malware was used in the attempted attack.

The purpose may have been to steal usernames and passwords, according to Dutch news site Limburger.

DSM also blocked the IP addresses the malware was meant to communicate with.

DSM and its associated companies have annual net sales of €10 billion and approximately 25,000 employees globally; we hope that all 25,000 are as well trained!

It only takes one moron to adversely affect or disrupt a company.


A DSM spokesperson said the company did not report the incident to the police because it was a rather clumsy attempt at data theft.

It was also widely reported that delegates attending the 2013 G20 summit near Saint Petersburg were given USB storage devices and mobile phone chargers loaded with malware to eavesdrop on their communications. Sneaky!

Adopt a robust insider policy

This should address what people need to do to deter insiders who introduce risk through carelessness, negligence, or mistakes. The policy must be concise and easy for everyone – not just security and technology specialists – to understand, access, and adhere to. The rules must apply to all levels of the organization, including senior management.

Monitor employees

Let them know you can and will observe their cyber activity to the extent permitted by law.

You cannot afford to leave cyber security entirely to the experts.

Raise your own day-to-day awareness of what is leaving your systems (remember Sony), as well as what is coming in. That means requiring security teams or service providers to produce regular risk assessments, which should include the sources of threats, vulnerable employees and networks, and the possible consequences if a risk becomes a reality.

Measure risk-mitigation behaviors, such as response time to alerts.

Often routers or firewalls can monitor outgoing channels, but you should make sure that the functionality is activated.

If you don’t have the equipment to monitor outgoing traffic, buy it.

Log and monitor other means of exfiltration – USB flash drives and other portable storage media, printouts, and so on – through spot checks or even permanent, airport-style searches of people entering and exiting your buildings. (General Electric and other companies do!)
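As an added example of the outbound-traffic monitoring recommended above (not code from the original article), the following script summarises bytes leaving the network per internal host from firewall or flow logs and flags hosts sending far more than their peers. The record format ("src dst bytes"), the 10.0.0.0/8 internal range and the sample records are constructed assumptions.

```python
"""Summarise outbound bytes per internal host and flag unusually heavy senders.

Constructed example: the flow-record format, the internal address range and
the sample records are invented; destinations use documentation address space.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address range; adjust to your own network.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records: "src dst bytes"
SAMPLE_FLOWS = """\
10.0.1.10 198.51.100.20 120000
10.0.1.11 198.51.100.20 98000
10.0.1.12 192.0.2.80 150000
10.0.1.13 192.0.2.80 110000
10.0.1.14 203.0.113.50 4200000000
10.0.1.14 203.0.113.50 3900000000
10.0.1.10 10.0.2.5 500000000
"""


def parse_flows(text):
    """Parse flow records into (src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, nbytes = line.split()
            flows.append((ip_address(src), ip_address(dst), int(nbytes)))
    return flows


def outbound_bytes_per_host(flows):
    """Sum bytes per internal source for flows that actually leave the
    network (internal -> external); internal-to-internal traffic is ignored."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:
            totals[str(src)] += nbytes
    return dict(totals)


def flag_heavy_senders(totals, ratio=10):
    """Hosts whose outbound total exceeds `ratio` times the median host's."""
    if not totals:
        return []
    typical = median(totals.values())
    return sorted(host for host, b in totals.items() if b > ratio * typical)


if __name__ == "__main__":
    totals = outbound_bytes_per_host(parse_flows(SAMPLE_FLOWS))
    for host in flag_heavy_senders(totals):
        print(f"review outbound traffic from {host}: {totals[host]} bytes")
```

A flagged host is a prompt for review, not proof of exfiltration; backups and legitimate bulk transfers should be placed on an allow-list so that the alert stays meaningful.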

Ask potential suppliers during pre-contractual discussions about how they manage insider-related risk.

If you hire them, audit them regularly to see that their practices are genuinely maintained.

Make it clear that you will conduct audits, and stipulate what they will involve.

A company might require of suppliers the same controls it uses itself: screening employees for criminal records, checking the truth of job candidates’ employment histories, monitoring access to its data and applications for unauthorized activity, preventing intruders from entering sensitive physical premises.

For monitoring to be effective, diligently manage the privileges of all employees – including those with the highest levels of access to company systems, who are often the instigators of insider attacks.

Prune your list of most privileged users regularly – and then watch the ones who remain to verify that they deserve your trust.

Look for insider-threat-detection systems that can predict possibly preventable events as well as find events that have already occurred.

Big data can be helpful in linking clues and providing warnings, and malware-detection software can be useful too.

Particularly in outsider-insider collaborations, a key initial step for the attackers is introducing malware into the network.

The most effective strategy for defusing the cyber threat posed by insiders is to use the protective technologies available and fix weak points in them, but focus ultimately on getting all insiders to behave in a way that keeps the company safe.

People need to know what behaviors are acceptable or unacceptable.

Remind them that protecting the organization also protects their jobs; everyone is a stakeholder in this battle!


What can you do?

Some of the most important activities that non-tech leaders should ask of their IT departments are:

  • Monitoring all traffic leaving the enterprise network via the internet or portable media, and promptly reporting anything unusual or in violation of policy,
  • Staying current with best practices for supporting cyber security strategy and policy,
  • Rigorously implementing network defense procedures and protocols that take into account the operational priorities of the business,
  • Actively updating user accounts to ensure that employees never have more access to sensitive computer systems than is absolutely necessary,
  • Making frequent threat assessments and briefing the company’s leadership on them, and
  • Getting UFI involved in the process – UFI, your trusted partner in cyber security.